Configure SA Account

FineBuild can configure the sa Account so that it is disabled and optionally renamed. This is done to make it harder for anyone who is not aware of the site SQL Server configuration to compromise SQL Server security.

It is considered to be good practice to disable the sa account, as this eliminates an attack vector on to SQL Server.

It is no longer considered to be good practice to rename the sa account. This is because of repeated experience where upgrading SQL Server to a new edition or Service Pack has failed if the
sa account has been renamed. Although this can be considered as a bug, the risk of Microsoft repeating this problem in future Service Packs or other fixes of SQL Server has to be taken into account. Each site should take their own view about renaming
the sa account.

If the sa account is renamed, it is possible that some applications are written so that an account called
sa is needed to perform the application install. In this situation, it is recommended that a new account called
sa is created for the duration of the install process, and then deleted when the install is complete.

Security Compliance

SA Account configuration helps to prevent unexpected use of the system administration account. If you setup
Security Compliance then SA Account configuration will always be implemented.

FineBuild Configure SA Account

The sa Account configuration relates to Process Id 5CD and is controlled by the parameters below:

Parameter

Build

SQL2005

SQL2008

SQL2008 R2

SQL2012

SQL2014

SQL2016

SetupDisableSA

FULL

Yes

Yes

Yes

Yes

Yes

Yes

SetupDisableSA

WORKSTATION

Yes

Yes

Yes

Yes

Yes

Yes

SetupDisableSA

CLIENT

N/A

N/A

N/A

N/A

N/A

N/A

In order to maintain compatibility with older versions of SQL FineBuild, the parameter
ConfigDisableSA can also be used.

FineBuild also uses the following parameters to help Configure Sysadmin Accounts:

Parameter

Default Value

Description

saName

sa

New name for the sa account

FineBuild will automatically disable and optionally rename the sa account.Top

Manual Configure SA Account

The following steps show what you would have to do for manual SA Account configuration. FineBuild does all of this work for you automatically.

1) Disable the sa account by running the following SQL statement in a SSMS query window:

ALTER LOGIN [sa] DISABLE

2) Optionally, within a query window enter the following command to rename the sa account.